24.6.05

A report from a colleague in industry (who prefers to remain anonymous) comparing Erlang with traditional web architectures. A detailed assessment that should be useful input to the design of Links. Many thanks to my nameless friend!

As for the references to security, both in the above comment as well as in the paper, the comments are in my mind no issues.

A Web application needs to be open on the public side on port 80 and that's it. It's just a matter of configuring the firewall correctly, be it an upstream real fw or iptables rules on the target webserver machine itself.

If yaws is used, I have a real hard time to see how port 80 access into the webserver could be a security issue. It's far more easy to make a secure webapp in erlang/yaws than it is with other more mainstream technologies.

Once I have a cluster of machines set up, I have set up host-based trusts between them using ssh.

If, for whatever reason, a bad guy gets access to one machine, they have access to them all.

The security flaw could be anything, a service that shouldn't have been running, a firewall port left open by mistake, whatever, but the reality of the situation is that there is an automatic privilege escalation.

In an enterprise system installed under bastion security I would expect to require 2, or preferably 3 separate security breaches before getting access to data. To do that with an Erlang cluster requires building a whole, functionality-free wrapper as a buffer between the customer and the cluster.

This also potentially obviates the benefits afforded by using Eddie to manage load-balancing and internet dial-tone.